
On 24/01/2022 18.57, Simon Glass wrote:
>> And the thing about "adding the signature" - yes, indeed, _signing_ can and should be done after building. But that is not at all what this started with, this is about embedding the metadata that U-Boot (or SPL) will need for _verifying_ during the build itself - when the private key may not even be available. Again, I think that it's a fundamental design bug that generating and adding that metadata in the form needed by U-Boot can only be done as a side effect of signing some unrelated image.
>
> It is a side effect of signing *the same* image, i.e. the image that holds the signature and the public key. There is only one image, the firmware image produced by binman.

Huh? Are we talking about the same thing? What you write makes no sense at all.
Rasmus